So I’m a baby dev, still in Uni and they don’t allow internships in 4th year due to some issues with it so not even that exp wise.
I don’t know enough, and I’m trying to learn but there’s so much! My Uni degree doesn’t cover security at all. Which is shit, bc I think I want to work in that? Mostly I’m just spooked and want to understand everything I can 'cause I love the internet and want to feel safer wandering about it.
I’m scared of clicking on links. Even ones here, like there was a post about a book list earlier and I was just there like “Cmoon… someone please have posted the lissssst.”
Would anyone be willing to share what they do for their own security? Especially if it’s ridiculously over the top. Included reasonings and details would be adored!
Also, if anyone has any books or references that might be good for learning sec from a programmatic view rather than a IT view I’d really love that! Anything at all.
Regardless, hope anyone reading this has an absolutely wonderful day and best of luck with everything you’re up to!
I purchased a mini PC from Amazon and installed OPNsense on it. Enabled a massive geo-ip block firewall rule (fuck Russia, China, DPRK, and all ITAR restricted countries), downloaded several hosts blocks that Unbound can use as a DNS sinkhole and force every device i own to use that mini PC as the DNS as well as the IPS/IDS of my entire network by sitting between my wifi router and modm to intercept all network activity. I have also installed SecurityOnion on another PC that acts as a log aggregate for every device on my network and use it as a SIEM to track malware and possible malicious pivoting based on MITRE att&ck framework and finally I have Wazuh agents installed on any host that allows it to track any malware that wants to enable command & control of any of my devices.
As for clicking links, the bad days of the Internet are largely behind us. Any link you click is unlikely to damage your computer without additional action on your part. Still don’t click on obvious bullshit because there’s no sense taking a step towards danger, but in general don’t worry about that side of things.
I use Firefox with ghostery, privacy badger and ublock.
I run a homebrew version of pihole to block DNS requests for screwy domains or known crud, and it mostly just pulls in the pihole lists.
For operating system, I use fedora or Manjaro, depending on the computer. Starting to grumble at Manjaro, so we’ll see how that goes. Out of the box firewall settings for the “use” computers, and locked down for the server, with incoming ports opened for specific services. DNS, ssh on an alternative port, http/s, my VPN. More ports are open on the internal network side, like mqtt. It runs applications so most things like DB ports are local only.
I have a windows computer for gaming and such, but I don’t use it for much else. Not for security reasons, just because the design of windows rubs me the wrong way and I think it’s needlessly complicated.
I let windows defender manage itself and since it’s not doing anything other than steam and a handful of toy projects that need the graphics card, it’s not a risk.
Network topology is to have the Internet connected to a router. The router is connected to a small commercial switch. The router is configured to direct incoming traffic to the server which handles it.
In an ideal world, traffic from the Internet would be directly handled by the server and it would function as the gateway router, but setting that up is annoying and I have limits.
Router also works as a wireless access point, which is mostly system default. I’ve wanted to get a second access point configured so I can segregate automated devices from personal devices, but I don’t think the threat or cleanliness is worth the potential cost or effort so it’s been delayed indefinitely.
Most interesting devices connect to the switch, which I can setup to do vlan stuff as part of ongoing project mentioned just above. Delayed. :(
Server security: ssh on a non standard port. Stops the vast majority of fuckery. 22 -> 2222 . Easy to remember and it’s weak security, but too easy to skip.
No password login permitted for root, ssh key only.
Selinux configured in enforcement mode, and I don’t cheat. When something gets locked down I actually figure out what permission it needs and give it that one, instead of just giving it full permissions.
User accounts are required to have good passwords and use ssh keys or password with MFA for remote access.
Software either comes from the system repositories, a trusted packager, or is written by me.
I use fail2ban with normal settings for anything that figures out the ssh port, which isn’t much.
Database access is password protected with different users for different applications and databases. Tables permissions are limited to what’s needed.
I don’t trust docker containers so I don’t use them.
Data is backed up to a Synology Nas configured to require MFA for login, and positioned so the server proxies to it, so it’s public for web access but gets the servers shield.
My work computer is a Mac, and it’s fine. I let them manage it since it’s theirs. On general principle I don’t respect it, but that’s just because the UI is dippy and their unix cli tools are inferior.
I think that’s everything security adjacent.
Edit: and use a password manager and MFA for everything that will let you! Passkeys > authenticator app “push” > app numeric code > text message > nothing.
Regarding books, I don’t know if too many. There’s a lot to cover.
- do not write your own crypto. The closer you can get to letting someone else do everything the better off you’ll be. Oauth or saml based login providers are great, because they handle basically everything.
- assume everything from the user or “outside” is evil.
- put a length limit on things, even if it’s big.
- don’t put security in the UI. Once the user is running it, it can lie to you as well.
- don’t keep data you don’t need.
- validate your inputs. Check to make sure that date is actually a date before writing it to the DB.
- always use prepared DB statements. Make sure whatever you’re doing escapes SQL. Really truly never build SQL statements by putting data from the user into a string.
- don’t use default credentials, and don’t build default credentials into your apps.
https://juice-shop.herokuapp.com/
That’s a test app from owasp, a respected name in Internet security. A great way to learn to not make mistakes is to take advantage of them. This helps you do that.
https://owasp.org/www-project-top-ten/
They maintain a list of the most popular mistakes. Read them, and don’t do them.
Ctfs are “capture the flag” competitions. They’re a good way to get a feel for what different vulnerabilities there are, and how they work.
https://picoctf.org/index.html#picogym
That’s a good one to play with at first, since it’s got good puzzles. You’ll learn some SQL injection at least.
A lot of low level security is automated in checks that run against code, or should be. Big security issues tend to be architectural.